IT Security News Blast 6-29-2017

Pennsylvania-based Heritage Valley Health System (HVHS) reported that it had experienced a cybersecurity incident on June 27, 2017. […] “The incident is widespread and is affecting the entire health system including satellite and community locations,” HVHS said in its online statement. “We have implemented downtime procedures and made operational adjustments to ensure safe patient care continues un-impeded.”

Highly skilled cyber analysts play an important role, but to achieve peak performance from both human and machine, automation within the network is needed. A new network approach—a single platform that is simple, automated, intelligent and secure—will better enable the U.S. Cyber Mission Force to operate within an enemy’s decision cycle and preserve U.S. supremacy across all five domains: land, sea, air, space and cyberspace.

Armada Collective, a group of online attackers, is demanding a ransom payment of $315,000 from South Korean banks – in the case of refusal, the group has threatened the banks with a series of massive Distributed Denial of Service (DDoS) attacks. The threats came days after South Korean web hosting company NAYANA paid over $1 million to cyber criminals who held the company’s Linux-based servers for ransom for over a week after infecting them with Erebus ransomware.

Maersk’s port operator APM Terminals was also hit, with Dutch broadcaster RTV Rijnmond reporting that 17 shipping container terminals run by APM Terminals had been hacked, including two in Rotterdam and 15 in other parts of the world. The RTV report said computers were infected by ransomware that encrypted hard drives at APM Terminals. The container shipping industry has lagged some other sectors in bringing more of its processes online.

Windows 10 users could potentially be faced with more security problems as the source code behind the Microsoft operating system accidentally got leaked online. The code contained files related to USB storage and Wi-Fi and was on a site called Beta Archive. This website keeps track of Windows releases and often contains archived builds of the OS. Such code is only shared with Microsoft’s most trusted partners and customers.

The research team used a simple loop antenna, attached it to an external amplifier and bandpass filters bought online, and then plugged it into a software defined radio USB stick they bought for €20. The entire cost of the setup was less than €200 and the device could be hidden in a jacket or laptop case. […] “Using this approach only requires us to spend a few seconds guessing the correct value for each byte in turn (256 options per byte, for 32 bytes – so a total of 8,192 guesses),” they wrote [PDF]. “In contrast, a direct brute-force attack on AES-256 would require 2^256 guesses and would not complete before the end of the universe.”

As the virtual attack spreads — security firm McAfee said the virus has reached multiple continents — cybersecurity stocks have spiked by as much as 4 percent or more. Root9B, the No. 1-ranked company on a top-500 list from Cybersecurity Ventures, rose 4.1 percent on Wednesday, to $8.85 per share. Email-management software company Mimecast’s stock rose 6.2 percent, to $27.17 per share.

The “Barista” assessment, as it’s called, has helped Trustwave hire experienced engineers with educational backgrounds ranging from high school diplomas to degrees from the country’s best universities, Smart said. […] “Most people, when you say, ‘(For) our interview process, we’re going to ask you to code a coffee machine,’ their first answer isn’t, ‘Oh, that makes a lot of sense.’ It’s a pretty weird thing,” Smart said. “It has nothing to do with (cybersecurity), but we love people who come back with really interesting solutions.”

When a state takes defensive measures, other states can perceive such behavior as threatening, and respond accordingly. Underlying this dilemma is the difficulty of distinguishing “offensive” from “defensive” moves when trying to evaluate another state’s intentions. Ben Buchanan, a postdoctoral fellow at the Cyber Security Project at Harvard Kennedy School’s Belfer Center for Science and International Affairs, argues in his recent book, The Cybersecurity Dilemma, that the line between offense and defense is even blurrier in cyberspace.

NATO Warns Use of Article 5 Over Cyber Attack, Members Pledge Spending

Europe’s NATO members and Canada will jointly raise defense spending by 4.3 percent in 2017, NATO Secretary-General Jens Stoltenberg said on Wednesday, partly aimed at showing the United States they are committed to shouldering more costs. Stoltenberg also warned the alliance must step up its defence against cyberattacks, saying they could potentially trigger their Article 5 mutual defence commitment, reported the AFP.

Of all the things that define the United States in our eyes and in the eyes of the world, our military—for defense—and our democratic system of one-person-one-vote—for the continuation of the republic—are respected for their integrity and security of their controls. Any attempt to sabotage either one of these core national supports by an outside agent—be it one person or a nation state—should be considered war-like, if not actually an act of outright aggression. […] To me, that was, and remains, an act of war. And I want to hear the President and the Congress call it by its name.

“I can confirm that we are now using offensive cyber routinely in the war against Daesh, not only in Iraq but also in the campaign to liberate Raqqa and other towns on the Euphrates,” Fallon said, using the Arabic phrase for ISIS. “Offensive cyber there is already beginning to have a major effect on degrading Daesh’s capabilities.”

With more time to analyze the malware, researchers on Wednesday are highlighting some curious behavior for a piece of malware that was nearly perfect in almost all other respects: its code is so aggressive that it’s impossible for victims to recover their data. In other words, the researchers said, the payload delivered in Tuesday’s outbreak wasn’t ransomware at all. Instead, its true objective was to permanently wipe as many hard drives as possible on infected networks, in much the way the Shamoon disk wiper left a wake of destruction in Saudi Arabia.

Kaspersky Lab last night said that a government website for the city of Bakhmut in Ukraine was compromised and used in a watering hole attack to spread the malware via a drive-by download. “To our knowledge no specific exploits were used in order to infect victims. Instead, visitors were served with a malicious file that was disguised as a Windows update,” Kaspersky Lab said in a statement. “We are investigating other leads in terms of distribution and initial attack vector.”

Experts are still unsure about the attack’s origins or its real purpose. Given that the ransom amount – $300 – was relatively small, some are speculating that the attack may be a front for causing wider disruption or making a political statement. […] By creating a read-only file – named perfc – and placing it within a computer’s “C:\Windows” folder, the attack will be stopped in its tracks.
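The file-based mitigation the article describes, as an added example (not from the article or any vendor): a PowerShell script that creates the read-only `perfc` file in the Windows folder and verifies it. It assumes the file name `perfc` exactly as stated above, that `$env:SystemRoot` resolves to `C:\Windows`, and the function names are this example's own.

```powershell
# Added example (not from the article): create the read-only "perfc" file the
# article describes as stopping the attack, then verify it is in place.
# Assumes $env:SystemRoot is C:\Windows, as the article states.
$VaccinePath = Join-Path $env:SystemRoot 'perfc'

function Install-PerfcVaccine {
    param([string]$Path = $VaccinePath)
    if (-not (Test-Path -LiteralPath $Path)) {
        # An empty file is enough; only its presence matters, not its contents.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    # Set the read-only attribute so the file is not casually overwritten or removed.
    $item = Get-Item -LiteralPath $Path -Force
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly
    return $item
}

function Test-PerfcVaccine {
    param([string]$Path = $VaccinePath)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    # True only when the file exists AND carries the ReadOnly attribute.
    return [bool]($attrs -band [System.IO.FileAttributes]::ReadOnly)
}

# Must run from an elevated prompt, since the Windows folder is protected.
Install-PerfcVaccine | Out-Null
if (Test-PerfcVaccine) {
    Write-Output "perfc vaccine present and read-only at $VaccinePath"
} else {
    Write-Warning "perfc vaccine missing or not read-only at $VaccinePath"
}
```

To roll this out across many hosts, wrap the two functions in `Invoke-Command -ComputerName ... -ScriptBlock { ... }` from an administrative workstation and collect the `Test-PerfcVaccine` results per host.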

In a classic FBI investigative tactic, agents visited the homes of the employees at the end of the work day at multiple locations on both the east and west coasts, the sources said. There is no indication at this time that the inquiry is part of Special Counsel Robert Mueller’s investigation into Russian election meddling and possible collusion. Kaspersky has long been of interest to the U.S. government.

More than 1 in 4 respondents to a 2015 Biscom survey admitted taking data when they left a company. Of those, 85 percent said they took materials they created and didn’t feel it was wrong. And 95 percent of those who took data said it was possible because their employer didn’t have the tools or policies to prevent them, or that if their company did have policies, they ignored them. (Biscom is a secure file sharing service provider.)

Google must alter worldwide search results, per orders from Canada’s top court

The ruling is the “first global de-indexing order,” Canadian lawyer Barry Sookman, who represented literary and musical publishers in the case, told The Toronto Star. […] “This is not an order to remove speech that, on its face, engages freedom of expression values; it is an order to de-index websites that are in violation of several court orders,” wrote Judge Rosalie Abella. “We have not, to date, accepted that freedom of expression requires the facilitation of the unlawful sale of goods.”

The Cisco 2014 Annual Security Report warned that the worldwide shortage of cybersecurity professionals was at 1 million openings. Cybersecurity Ventures predicts there will be 3.5 million unfilled cybersecurity jobs globally by 2021 (and a zero-percent unemployment rate)—driven by cyber attacks and data breaches, which are growing in frequency and sophistication.

Microsoft is warning customers of a bug in its Azure Active Directory Connect product that could allow an adversary to escalate privileges, reset passwords and gain unauthorized access to user accounts. The advisory (4033453) was issued Tuesday via Microsoft’s TechNet website for the vulnerability, which it rated “important.” The advisory includes ways to determine a company’s exposure to the vulnerability. Remediation includes upgrading to the latest version of Azure AD Connect (1.1.553.0).


About Critical Informatics

We are world-class information security professionals providing Managed Detection and Response services to help you be secure, compliant, and resilient against threats to the life safety, life-sustaining, and quality-of-life systems and services you provide to clients, customers, constituents, and communities.